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Insurance and the Emergency Preparedness: 

The 9/11 Commission Recommendations 

Summary 

The September 11, 2001, terrorist attack on the World Trade Center exposed 
vulnerabilities in the private sector’s ability to respond to and recover from 
emergencies and disasters. These events have caused government and business 
leaders, disaster experts and insurance experts, and industry representatives to rethink 
emergency preparedness and business continuity planning for the private sector. In 
its final report, released on July 22, 2004, the National Commission on Terrorist 
Attacks Upon the United States (9/11 Commission) urged the Department of 
Homeland Security (DHS) to help the private sector improve its capacity to respond 
to terrorist attacks by adopting emergency preparedness and business continuity 
standards developed by the National Fire Protection Association (NFPA 1600) and 
adopted by the American National Standards Institute (ANSI). The 9/11 
Commission also recommended that DHS take steps to encourage the insurance and 
credit-rating industries to voluntarily consider a company’s compliance with NFPA 
1600 when assessing insurability and creditworthiness. 

The 9/11 Commission did not provide guidance on the meaning of 
“insurability,” or on how an emergency preparedness standard might be integrated 
into insurance underwriting and pricing systems. Several issues could arise when 
insurers consider a company’s compliance with NFPA 1600 in the course of 
assessing insurability. First, if the 9/11 Commission recommendations on private 
sector emergency preparedness and business continuity standards are implemented, 
will the federal government broaden the scope and meaning of insurability to enhance 
private sector preparedness? While the 9/11 Commission did not recommend a 
federal mandate to the states to have insurers incorporate NFPA 1600 standards into 
policies, underwriting guidelines, or both (along with an appropriate actuarial-based 
reduction in rates or preferential risk treatment), this scenario might emerge as an 
unintended regulatory and legal issue for Congress. Second, most insurance experts 
would agree that despite an increase in the analytical capabilities of insurers to assess 
terrorism risk, there is a continued need for sufficient data and non-anecdotal 
research to demonstrate the potential insurance cost savings from adoption of 
emergency preparedness standards. Third, the linking of emergency preparedness 
and business continuity standards to insurability, which is essentially what the 9/1 1 
Commission envisions, will arguably work only if individuals and businesses have 
incentives to engage in voluntary mitigation action. Most experts observe that these 
actions will occur only when (1) individuals and businesses have knowledge and 
belief that a significant risk exists; (2) they measure the cost and benefit of taking 
steps to reduce losses; and then (3) they decide to act in order to survive. Finally, 
representatives of the business continuity industry note that before insurers can 
effectively implement the NFPA 1600 standards, policymakers, business leaders, and 
insurers must address the specific relevance of the business continuity planning 
(BCP) elements in the NFPA 1600 standard to insurance underwriting and pricing. 
This report analyzes potential issues that might arise by complying with NFPA 1600. 

This report will be updated as legislative developments warrant. 
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Insurance and Emergency Preparedness: 
The 9/1 1 Commission Recommendations 



Introduction 

The use of insurance as a tool in emergency management and business 
continuity management (BCM) planning has taken on a new sense of urgency among 
policymakers and business leaders in light of terrorist attacks and the continued threat 
of emergencies and disasters. 1 Terrorist attacks, earthquakes, hurricanes, tornadoes, 
power outages, and cyber attacks are just a few of the potential issues facing all 
organizations. Realizing that unpredictable disruption and downtime in the private 
sector could affect the U.S. economy, possibly with billions of dollars in lost or 
interrupted operations, the National Commission on Terrorist Attacks Upon the 
United States (9/11 Commission) recommended that the NFPA 1600 “Standard on 
Disaster/Emergency Management and Business Continuity Programs,” developed by 
the National Fire Protection Association 2 and endorsed by American National 
Standards Institute (ANSI), 3 serve as the national preparedness standard for all 
organizations, including governments and businesses. The NFPA 1600 Standard 
defines how the private sector should prepare for a catastrophe and continue or 
recover its critical functions in the event of a disruption or major disaster. The 9/11 
Commission’s final report, dated July 22, 2004, also urged the Department of 
Homeland Security (DHS) to promote private sector adoption of NFPA 1600 and to 
encourage the insurance and credit-rating industries to consider a company’s 
compliance with this standard when assessing insurability and creditworthiness. 4 

Several reasons were cited for the 9/1 1 Commission’s recommendation to adopt 
the NFPA 1600 Standard: 



1 Business continuity management (BCM) planning is concerned with assuring continuous 
business processes after a disruption. BCM is a key component of comprehensive 
emergency management, which encompasses disaster planning and preparedness, hazard 
identification and mitigation, emergency response, disaster recovery, business continuity 
and crisis management. 

2 [http://www.nfpa.org/catalog/home/AboutNFPA/NFPAOverview/NFOAOverview.asp], 
visited Aug. 1 1 , 2004. 

3 [http://www.ansi.org/news_publications/news_story.aspx?menuid=7&articleid=718], 
visited Aug. 1 1 , 2004. 

4 U.S. National Commission on Terrorist Attacks Upon the United States, The 9/11 
Commission Report (Washington: GPO, 2004), p. 398. The report is available online at 
[http://www.9-llcommission.gov], visited September 28, 2004. 




http://wikileaks.org/wiki/CRS-RL32646 



CRS-2 



• private sector organizations own and manage the vast maj ority of the 
critical infrastructure in the United States; 

• the first people called upon to respond to a terrorist attack will likely 
be civilians; and 

• the private sector remains largely unprepared for a terrorist attack 
because of a lack of a private sector emergency management 
preparedness standard on rescue, restart, and recovery of operations. 



Emergency Preparedness and 
NFPA 1600 Standards 

One of the key findings of the 9/11 Commission was the need for the private 
sector to prepare for potential future terrorist attacks and other emergencies. The 
9/1 1 Commission Report stated: 

Private-sector preparedness in not a luxury; it is a cost of doing business in the 
post-9/1 1 world. It is ignored at a tremendous potential cost in lives, money, and 
national security. 5 

According to the 9/11 Commission, America’ s vulnerability to terrorists attacks 
and other emergencies stem in part from the lack of a widely acceptable national 
standard for emergency preparedness and business continuity planning in the private 
sector. Although the NFPA 1600 Standard currently serves as a benchmark for 
emergency management and business continuity programs in both the public and 
private sectors, the private sector has not widely embraced the standard. NFPA 1600 
offers methodologies for defining and identifying risks and vulnerabilities, and 
provides planning guidelines that address the restoration of physical infrastructure, 
the health and safety of personnel, crisis communications procedures, and 
management structures for both short-term recovery and ongoing long-term 
continuity of operations. The standard is not a series of detailed requirements; it is 
a basic outline of what belongs in a disaster/emergency management program. It is 
designed to apply to a wide range of entities, including government agencies, private 
companies, nonprofit agencies, and other organizations with emergency management 
responsibilities. 6 

Business preparedness and the adoption a national preparedness standard are 
widely considered key to recovery, and the U.S. Department of Homeland Security 
(DHS) has arguably taken steps in this direction. On September 23, 2004, the DHS, 
in partnership with the Advertising Council and several business organizations, 
established the “Ready Business” national public service advertising campaign to 
educate and empower companies on how to prepare for and respond to natural and 



5 Ibid. 

6 For more information, see CRS Report RL32520, Emergency Management Preparedness 
Standards: Overview and Options for Congress , by Keith Bea. 
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human-caused disasters. 7 The “Ready Business” campaign is an extension of DHS’s 
successful “Ready” campaign, which reportedly has helped millions of individuals 
and families prepare for emergencies. 8 The “Ready Business” campaign offers 
businesses practical information on such things as evacuation plans, fire safety, and 
protecting business investments by securing facilities and equipment and reviewing 
insurance coverage. 9 



Major Participants in Emergency Preparedness 

The federal government is only one participant in a complex set of interlocking 
institutions the nation utilizes for managing the consequences of disasters and 
emergencies. The other major participants are state and local governments and the 
private sector, which includes individuals, businesses, and insurance companies. The 
role of these major participants in emergency management preparedness is examined 
below. 

Federal Government 

The federal government provides early warning and financial and technical 
assistance for emergency planning. It also provides emergency assistance to help 
individuals, businesses, and public entities recover from the consequences of a major 
disaster. Benefits under these programs generally are triggered by a range of federal 
authorities. 10 

State and Local Governments 

State and local governments play critical roles through land use controls, the 
adoption and enforcement of building codes, and the regulation of insurance markets. 
Local governments are also the first line of action for post-disaster response and 
recovery. If localities are overwhelmed, they may request assistance from the state 
or federal government. These institutions and the incentives they create are highly 
interdependent. 

Private Sector 

The private sector — individuals and businesses — can pre-fund and diversify 
risk by financing potential losses through insurance, reinsurance, self-insurance, and 



7 [http://www.dhs.gov/dhspublic/interapp/press_release/press_release_0523.xml], visited 
September 30, 2004. 

8 [http://www.dhs.gov/dhspublic/display?theme=44&content=4049&print=true], visited 
September 30, 2004. 

9 [http://www.dhs. gov/dhspublic/display?theme=43&content=4034&print=true], visited on 
October 1 , 2004. 

10 For references to federal assistance programs, see CRS Report RL3 1734, Federal Disaster 
Recovery Programs: Brief Summaries, by Ben Canada. 
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capital from financial institutions and the investment community. Individuals and 
businesses may also use damage prevention or loss mitigation techniques to reduce 
the frequency and extent of damage. 

Insurance Industry 

The insurance mechanism is considered an efficient tool in not only the 
management of risks, but also emergency management preparedness. 11 According 
to emergency management experts, many companies do not plan for or have adequate 
internal financial resources to pay for expenses associated with recovery from a 
major disaster. They rely on external financial resources — e.g., insurance industry 
payments or government disaster assistance — to recover from a disaster. Insurance 
payments can serve as a major source of funds to rebuild communities and put lives 
back together after a disaster. In order to better prepare the nation for possible future 
terrorists attacks, the 9/11 Commission recommended that insurance companies 
consider a company’s compliance with the voluntary national emergency 
preparedness and business continuity standard (NFPA 1600) when assessing 
insurability. 

When a business is forced into a total or a partial shutdown because of damage 
inflicted by a natural or human-caused disaster, the economic consequences to the 
business and the community are costly. The business property may be physically 
damaged and remain unavailable for use due to a disruption of essential utility 
services (e.g., electricity, gas, telecommunications, sewer, and water) and/or access 
to critical suppliers; employees may not be able to come to work because the work 
site remains dangerous; and customers may not be able to reach the premises due to 
infrastructure damage. 

Businesses typically cover their direct costs of rebuilding, renovating, or 
replacing the damaged property and the indirect cost of lost income by either insuring 
themselves by setting aside money to cover possible losses (self-insurance) or 
purchasing commercial insurance. Self-insuring disaster loss exposures might occur 
either intentionally or by default. Businesses may intentionally self insure by 
determining how much loss they can fund internally (“retain”), adopting a plan for 
funding those retained losses, and buying insurance to cover larger losses. Many 
businesses make no advance plans for financing losses and, by default, self-fund 
unpredictable losses. This usually happens because a business fails to identify a 
hazard, believes it has no options for addressing the hazard, or relies on the 
government to cover all its post-disaster needs. 



11 Some economists argue that when insurance is compared to disaster relief and/or federal 
tax policy, the insurance mechanism is the most efficient and equitable method of 
compensating disaster victims for several reasons: ( 1) it provides a better method to reduce 
risk by incorporating incentives for individuals and firms to adopt loss reduction measures; 
(2) it provides more complete compensation for damages; (3) it is considered more equitable 
because the people who pay for protection will typically receive the benefits; (4) it gives 
people more control over their degree of protection; and (5) it is more efficient in dispensing 
payments. 
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Commercial insurance offers the opportunity to cover the cost of recovery after 
a major disaster. In January 1986, the property and casualty insurance industry 
unveiled the Simplified Commercial Lines Portfolio (SCLP) policy as a new 
approach to commercial insurance. The SCLP has seven separate sets of coverages 
from which the insured can pick and choose. 12 Businesses may use use one policy 
to meet most of their insurance needs. 13 Basic protection for buildings and personal 
property in the SCLP, for example, is provided under the Building and Personal 
Property Coverage form (BPP). Business income and interruption and extra expense 
coverage protects a business against temporary loss of net income rather than its 
property. It is customarily included by endorsement on an insured’s commercial 
property coverage. As with all types of policies, there are broad policy coverage 
exclusions with respect to certain hazards (floods, earthquakes, wind, and acts of 
terrorism) and the actions of the insured. 

While commercial insurance does not guarantee a business’s post-disaster 
survival, it is an important strategic element in emergency preparedness and business 
continuity planning in the private sector. Given the importance of insurance in 
managing disaster risks, it was reasonable to expect the 9/11 Commission to 
recommend that the insurance industry consider a company’s compliance with a 
national emergency standard when assessing insurability. The challenge is to find a 
way to incorporate a company’s adherence to an emergency standard into the 
insurer’s decision to insure a risk — i.e., insurability. 



Insurability of Risk and Standards 

The term “insurability” refers to the process by which an insurance company 
sets a premium that accurately reflects the applicable risk. While the setting of a 
price is important, it is also critical for the insurer to be able to offer a policy that is 
marketable. What makes a risk insurable and an insurance policy marketable? This 
report will discuss insurability in the next section. With respect to marketability, it 
is important to note that a particular risk might meet the insurability conditions, but 
the policy will not come to the market if the insurer lacks the confidence that there 
is sufficient demand to cover the cost. In theory, demand occurs because the 
potential policyholder is risk- averse and willing to pay a relatively small premium for 
protection against a large loss. Demand might also depend on the existence of 
standards (or criteria) that provide threshold limits governing professional behavior 
accepted by all potentially insured parties. 14 These standards are typically imposed 



12 The SCLP policy provides coverages for commercial property, liability, crime, boiler and 
machinery, commercial auto, inland marine, and farm. 

13 Under SCLP, workers’ compensation must be purchased separately. 

14 State licensing boards and professional societies typically prepare standards of 
professional behavior, and the insurance industry will incorporate these standards into their 
pricing or underwriting schemes. Professional standards promulgated by the state licensing 
board will be consistent with the standards of proof required and the exceptions to a finding 
of negligence that are codified in state statue. The practical impact of the standard in the 

(continued...) 
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through government regulation or financial institution requirements, not the insurer. 

Insurance experts observe that two conditions must be met for a particular risk 
to be insurable: the ability to identify and quantify the risk; and the ability to set 
premiums for each potential customer or class of customers. 

First, in order to identify the risk, the insurer must estimate the frequency of 
specific events occurring and the magnitude of the loss should the event occur. The 
insurer needs loss experience data from many kinds of perils and hazards to perform 
this task. Unfortunately, from the standpoint of establishing rates, some events, like 
acts of terrorism, are very infrequent and there is limited data available upon which 
to base premiums. Insurers must therefore rely on scientific studies and computer- 
generated and mathematical models to develop estimates of the frequency of events, 
as well as the damage that is likely to occur from these events. 

Second, for a risk to be insurable, the insurer needs the ability to set premiums 
in such a manner that the company makes a profit. The insurance industry has well 
developed methods of classifying and selecting what risks to insure, and what price 
to charge. Insurers apply certain business tests of insurability when considering what 
premium to set for a particular risk. 15 This process is called “underwriting” and is 
analogous to what the 9/11 Commissioners refer to as “insurability.” The act of 
underwriting requires underwriters to exercise judgment based on a clear 
understanding of the hazards associated with each kind of coverage as well as 
adverse selection, 16 moral hazards 17 and correlated risk facing various entitites in the 
private sector. 

In deciding whether to issue an insurance policy, the underwriter gathers 
information from many sources, including the application itself, the recommendation 



14 (...continued) 

medical profession, for example, is to enhance the marketability of medical malpractice 
liability insurance for physicians. The professional standard created the demand for the 
insurance product that protects the doctor from civil liability, the patient from medical error, 
and the insurer from losses stemming from inappropriate professional behavior. 

15 For example, insurers generally use a four-test criteria to determine the insurability of 
risks (i.e., whether to underwrite a risk): (1) calculability of the risk, which refers to the 
presence of sufficient loss data to statistically estimate the chance of future losses and 
possible variations from the estimate; (2) certainty of loss, which refers to the ability to 
define the loss that has occurred; (3) the absence of catastrophic potential or the possibility 
that the losses may be of sufficient magnitude to destroy the financial stability of the insurer; 
and (4) whether insured losses are accidental rather than intentional. 

16 Adverse selection occurs when the insurer cannot distinguish between the probability of 
loss for different risk categories. The insurer loses money on a policy if only poor risks 
purchase the coverage. 

17 Moral hazard occurs when there is a tendency of insurance protection to change the 
behavior of the customer such that the policyholder does not try to avoid misfortune, and 
may act to bring it on. 

18 Correlated risk occurs when there is the simultaneous occurrence of many losses from a 
single event. The impact of correlated risks is the possibility of insurer insolvency. 
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of the agent or broker who accepts the application, insurance company inspectors and 
engineers, private inspection companies, and other insurance industry support 
organizations that maintain centralized files for certain types of risks. 

Underwriters also rely on various standards and procedures. Using data and 
other information generated internally or from insurance support agencies, insurers 
typically publish internal underwriting company guidelines and pricing charts that 
help underwriters perform their job in a manner consistent with the company’s 
business strategy. In support of this industry-wide practice, the A. M. Best Company 
publishes the Best’s Underwriting Guide for Commercial Lines and Best ’s Loss 
Control Engineering Manual , which are technical guides designed for insurance 
inspection, underwriting, loss control, and safety engineering personnel. These 
guides cover more than 700 risk classifications, offering information on loss 
exposure and loss prevention in various categories of businesses that are covered by 
the different types of property and casualty lines of insurance. 

As an illustration, an insurance underwriter reviewing an application for 
insurance from a barber shop might refer to the Best ’s Underwriting Guide for 
Commercial Lines under Standard Industrial Classification (SIC) code 7231 (beauty 
shop) or SIC 7241 (barber shop) to obtain the standards that might apply to the 
various risks facing these businesses. In this case, the underwriter might refer to the 
Guide and determine whether the barber shop’s cleaning supplies and hair solutions 
are in compliance with NFPA 30, Flammable and Combustible Liquids Code. NFPA 
30 covers the storage, handling, and use of flammable and combustible liquids, 
including waste liquids. 

Building from the 9/11 Commission recommendation and the above illustration 
of the role standards play in business practices, DHS could encourage insurers, 
advisory organizations and rating bureaus to consider integrating NFPA 1600 
Standard into their underwriting and pricing schemes so that the private sector — 
reflecting the 700 risk classifications — could undertake efficient risk management 
processes and hence be better prepared to respond to emergencies. Businesses that 
comply with the standards set by insurers might be granted less expensive insurance 
rates. 



Standards in Insurance Underwriting and Pricing 

Major insurance industry participants, including insurers, trade associations, 
advisory organizations, and rating bureaus, already support the establishment of 
emergency preparedness management and business continuity planning standards for 
individuals and businesses. Four examples of activities might be presented. 

First, with respect to potential cyber attacks, the insurance industry currently 
plays an important role in securing cyberspace by creating national standards for risk- 
transfer (insurance) mechanisms, 19 working with the government to increase the 



19 [http://www.securityfocus.com/news/361], visited October 25, 2004. 
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awareness of cyber risks 20 and collaborating with leaders in the disaster preparedness 
industry to promote best practices for businesses. 21 

Second, the Insurance Service Office (ISO) administers the Public Protection 
Classification (PPC) program, which grades a community’s public fire protection 
capabilities. 22 Under the PPC program, each local fire department’s firefighting 
capability is ranked on a scale of 1-10 under ISO’s Fire Suppression Rating Schedule 
(FSRS). Each community’s insurance rates are based, in part, on this FSRS rating. 
The FSRS includes factors such as water supply and whether its fire fighters are full- 
time paid employees or volunteers. 

The PPC program has played a critical role in the property and casualty 
insurance business and the availability of affordable homeowners’ and commercial 
property coverage. Virtually all U.S. insurers of homes and business property use 
ISO’s PPC to establish appropriate fire insurance premiums for residential and 
commercial properties. The ISO classification is correlated to actuarially derived 
rating factors used in setting fire insurance premiums. The rating factors are 
developed using historical loss experience data and represent a relationship between 
loss experience and the PPC. 

Third, the use of ISO’s Building Code Effectiveness Grading Schedule is 
another way in which emergency preparedness standards are incorporated into 
insurance underwriting and pricing. In the 1980s, the insurance industry discovered 
that the level of building code enforcement affected the cost of claims. However, it 
was not until Hurricane Andrew in 1992 that a new organization, the Insurance 
Institute for Property Loss Reduction (IIPLR) launched a study to develop better 
wind and seismic building codes so structures could better withstand the force of 
storms and earthquakes. The work of the IIPLR led to the development by ISO of a 
building code compliance rating system, similar to the fire protection rating system. 
The ISO Building Code Effectiveness Grading Schedule (BCEGS) assesses the 
building codes in effect in a particular community and the community enforcement 
of these codes. The BCEGS takes into account factors such as (1) the size of the 
community’s building code enforcement budget relative to the amount of building 
activity; (2) the professional qualifications of building inspectors; and (3) past code 
enforcement levels. By incorporating the BCEGS into the underwriting and pricing 
process, communities have incentives to undertake mitigation activities such as the 
use of certain roofing material, the installation of hurricane shutters, and the 
identification of appropriate load combinations for buildings. 



20 [http://www.propertyandcasualty.com/content/news/article.asp?docid={0981 135a-fel 1- 
4684-ae57-cf909d5d6el8}&VNETCOOKIE=NO]. 

21 See [http://www.tripwiresecurity.com/press/pr.cfm?prid=49], visited October 25, 2004. 

22 The Insurance Services Office, Inc. (ISO) is a private, independent organization that 
provides statistical and actuarial information, policy forms and related services to 
insurers. ISO also serves insurance regulators, fire departments, and other organizations 
that provide information about risk. For more information on ISO’s PPC, see 
[http://www.iso.com/products/2400/prod2403.html], visited October 4, 2004. 
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With the availability of BCEGS, insurers and state insurance regulators 
combined forces under the auspices of the National Association of Insurance 
Commissioners (NAIC) to develop and encourage states to adopt model insurance 
laws, regulations and guidelines on building codes. Insurers now offer discounts on 
property insurance premiums to property owners and businesses located in 
communities with enforced, up-to-date building codes that conform to BCEGS 
standards. Communities with a BCEGS grade of 1 (reflecting exemplary 
commitment to building-code enforcement), for example, can demonstrate better loss 
experience, resulting in lower insurance premiums. The BCEGS program was 
initially implemented in states with high exposure to wind (hurricane) and seismic 
exposure, but now is available throughout the rest of the country. 

Fourth, since the early 1900s, the construction industry has attempted to 
formulate standardized practices for every aspect of the building industry, and the 
insurance industry recognizes those standards in its insurance policies and pricing 
schemes. 23 In fact, the first model building codes in the United States were 
developed in 1905 by the National Board of Fire Underwriters, an insurance industry 
organization. 



Potential Issues for Congress 

Several potential insurance-related issues could arise as policymakers consider 
the 9/11 Commission’s recommendation on emergency preparedness and business 
continuity standards in the private sector. 

First, if the 9/11 Commission recommendations on private sector emergency 
preparedness and business continuity standard are implemented, will the federal 
government broaden the scope and meaning of insurability to enhance future private 
sector preparedness? While the 9/11 Commission did not recommend a federal 
mandate to the states to have insurers insert NFPA 1600 Standards into policies and 
underwriting guidelines along with an appropriate actuarial-based reduction in rates 
or preferential risk treatment, such an unintended regulatory and legal scenario might 
emerge in the future. 24 What are the implications for state insurance regulation of 
insurance underwriting and pricing should the states adopt the NFPA 1600 
standards? 

Several things are known about insurance regulation, particularly with respect 
to rates: (1) insurance is regulated by the states; (2) the rate regulation process — i.e., 
prior approval vs open competition — may vary for different kinds of insurance 



23 For more information on ANSI-accredited NFPA 5000, Building Construction and Safety 
Code, see [http://www.contractormag.com/articles/newsarticle.cfm?newsid=126], visited 
October 25, 2004. 

24 Congress specifically reaffirmed the authority of states to regulate the insurance industry 
when it enacted the McCarran-Ferguson Act of 1945 (PL 79-15; 59 Stat. 33, March 9, 
1945). Thus, under current law, the regulation of the business of insurance in the United 
States is carried out at the state level, and this business is substantially exempt from federal 
antitrust laws. 
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within the same jurisdiction; and (3) states may change the method used to oversee 
rates for a given kind of insurance if market conditions change. 25 Thus, depending 
on the type of rate regulation system in a particular state, a regulator could require a 
reduction in rates to reflect adoption of certain standards. Could this reduction in 
rates be judged a federal mandate, given that the DHS might instruct insurers to 
consider NFPA 1600 in their pricing and underwriting system? What would be the 
role of Congress to resolve this matter, given the existence of the McCarran-Ferguson 
Act of 1945 that delegates the regulation of the business of insurance to the states? 

From an insurance company perspective, it makes good business sense to 
provide insurance services and price and sell policies that incorporate elements of 
emergency preparedness and business continuity standards. The reason is simple: a 
reduction in potential losses through emergency preparedness standards could lead 
to lower claims for insurance companies . Any federal involvement (or perception of 
involvement) in insurance rate-making (regulation) would be widely viewed as a 
departure from the stance the Congress has taken since the enactment of the 
McCarran Ferguson Act of 1945 that leaves exclusively the regulation of the business 
of insurance to the states. Since 1945, Congress has on several occasions 
investigated the availability and affordability of insurance and the efficiency and 
adequacy of state insurance regulation, but chose to leave things as they are without 
intervening in state rate regulation. State insurance regulators have always responded 
to congressional concerns in such a manner as to avoid congressional intervention in 
the state insurance regulatory process. 

Second, insurers have a long way to go when it comes to assessing the link 
between terrorism risk and adoption of emergency preparedness standards in a non- 
anecdotal manner. While terrorism modeling has come a long way since 9/11, it is 
no substitute for the actuarially credible data on which most insurance rates are based 
(potentially millions of observations over extended periods of time). Instances of 
major terrorist attacks, especially in the United States, are few. The only three data 
points in the United States are the two World Trade Center terrorists attacks and the 
1995 Oklahoma City bombing (domestic terrorism). While it stands to reason that 
the risk mitigation measures taken by businesses — i.e., compliance with NFPA 
1600’s emergency preparedness and business continuity standards — would likely 
reduce the probability and severity of some types of attacks, it is unclear if the 
aggregate risk would be reduced (shift to soft targets, different means of attack, etc.). 
The dynamic strategies of would-be terrorists are impossible to fully insure against 
— in contrast to insuring against natural disasters. Given their fiduciary and 
regulatory responsibility to shareholders, most insurers are not likely to voluntarily 
reduce rates without data that quantify the level of savings that can be achieved with 
the adoption of standards designed to reduce aggregate risk. Could this situation 
hamper the full adoption of standards within the insurance industry? 



25 State insurance regulators have adopted several methods of regulating insurance rates that 
fall into two categories: “prior approval” and “competitive.” Prior approval means the 
insurer must file the rates with the regulator and obtain approval before using them in the 
market. Competitive rate regulation allows insurers to adopt new rates without having to 
wait for regulatory approval, albeit rates must still be filed with the regulator. 
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Third , the linking of emergency preparedness and business continuity standards 
to insurability, which appears to be what the 9/11 Commission envisions although 
not specifically mentioned in the 9/11 Report, would work only if individuals and 
businesses have incentives to engage in voluntary mitigation action. Most experts 
observe that these actions would occur only when individuals and businesses have 
knowledge and belief that a significant risk exists, they measure the cost and benefit 
of taking steps to reduce losses, and then decide to act in order to be prudent. 

The point here is that any effort to enhance the nation’ s emergency management 
response capabilities by linking emergency preparedness and business continuity 
standards to insurability (underwriting and pricing) must involve committed 
individuals and businesses. Two fundamental issues are (1) what incentives would 
most likely motivate private individuals and businesses to engage in voluntary 
mitigation action; and (2) at what expected loss level or threshold does the mitigation 
of risks shift from being a set of private mitigation decisions to the level of a public 
problem possibly requiring federal regulation? That is, should the government set 
the primary standards for mitigation risks? Experts in the disaster and insurance 
arenas generally agree that voluntary action by individuals and businesses is 
necessary in order to reduce disaster risks. Voluntary action is likely to occur when 
there is knowledge and belief that a significant risk exists, and when the following 
criteria are met: 

• the risk is large when compared to other issues that demand attention 
and resources; 

• there are significant incentives (i.e., premium or deductible 
reductions or both) to warrant a decision to invest in mitigation 
action; and 

• the risk of loss cannot be transferred to others (i.e. , insurance and/or 
government relief not available). 

Finally, representatives of the business continuity industry note that before 
insurers can effectively implement the NFPA 1 600 standards, policymakers, business 
leaders, and insurers must address the specific reference to business continuity 
planning (BCP) in the standard itself. 26 BCP is a comprehensive process that 
includes disaster recovery, business recovery, business resumption, contingency 
planning and crisis management. Some business continuity experts have argued that 
business continuation is embedded within emergency management and disaster 
recovery planning provisions of the standard. From an insurance company 
perspective, more refinement of the NFPA 1600 might be needed that includes 
features of business continuity planning that an insurer can more readily adopt in its 
underwriting and pricing schemes. 

Given the demonstrated expertise insurers possess in working with the building 
industry and other industries in the private sector, the DHS could encourage insurers, 
insurance industry associations, advisory organizations and rating bureaus to 



26 [http://www.davislogic.com/NFPA1600.htm], visited October 25, 2004. 
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integrate NFPA Standard 1600 into their marketing, underwriting, and pricing 
schemes. 



Conclusions 

The September 11, 2001 terrorist attack on the World Trade Centers exposed 
vulnerabilities in the private sector’s ability to respond to and recover from 
emergencies and disasters. According to the 9/11 Commission, this vulnerability 
stems in part from the lack of a widely acceptable national standard for emergency 
preparedness and business continuity planning in the private sector. 

It was not surprising that the 9/11 Commission alluded to the insurance industry. 
The insurance industry is a major source of post-disaster recovery financing and 
insurers are accustomed to either using or getting other customers to use standards 
in its normal business practices. 

The Department of Homeland Security (DHS) was designated to take the lead 
in encouraging the insurance and credit-rating industries to voluntarily consider a 
company’s compliance with NFPA 1600 when assessing insurability and 
creditworthiness. The 9/1 1 Commission, however, did not provide guidance on the 
meaning of “insurability” or how an emergency preparedness standard might be 
integrated into insurance underwriting and pricing systems. 

The key to understanding this 9/11 Commission recommendation rests with a 
grasp of the connection between the insurability of risk and standards. The term 
“insurability” refers to the process by which an insurer sets a premium that accurately 
reflects the applicable risk. While the setting of an insurance premium is important, 
the marketability of policies that incorporates NFPA 1600 Standards is equally 
important. There must be market demand for the policy if it is to be offered by an 
insurer. One way to effect demand for a policy that indirectly requires businesses to 
adopt emergency management preparedness standards might be through the 
imposition of those standards by government regulation, by financial institution 
requirements or both. Another way to stimulate demand would occur naturally by 
the reaction of potential customers who are risk averse and are willing to pay a 
premium for protection against a large loss. 




